The convenience of instant accessibility from nearly every corner of the world makes web sites and web-based applications powerful tools in today's economy. However, providing for user security is of utmost importance for many of these sites and applications. The ready accessibility of Internet resources opens the door to a significant risk of user spoofing and identity theft by malicious users, as well as phishing web sites that seek to take advantage of unsuspecting users and fraudulently obtain their user credentials. Thus, an effective user authentication system is an important tool that allows users and web content providers to confirm each other's identities.
Conventional authentication systems implemented on web pages often only require the user to enter a user identifier (user ID) (e.g., login, account number, or online ID) and a password. In such systems, the user enters a user ID and password on an authentication web page and submits the page. The server receives and verifies the user ID and password combination before providing the user with access to the requested resource. However, conventional user ID and password systems are ineffective against malicious users who have acquired a valid user ID and password. These systems also fail to address the problem of phishing web sites that lure users into entering their user ID and password credentials into a spoofed web site that is designed to look like an authentic secure site.
More recently, systems motivated by the ineffectiveness of conventional user ID and password schemes, and/or affected by new Internet authentication regulations adopted in several countries, have begun to implement multi-factor authentication. Multi-factor authentication typically requires additional assurances of a user's identity before the user is authenticated to a web site. These additional assurances may include authentication process steps that are either visible or transparent to the user. As an example, a multi-factor authentication system may require a user ID and password as in conventional systems, but may also require that the IP address of the user's computer be recognized from a previous successful login by the user, or that the user answer a challenge question. Multi-factor authentication may also involve storing ‘mutual authentication data’ at the authentication server that can be provided to the user to allow the user to confirm that the web site is not a fraudulent or phishing site.
Although multi-factor authentication systems may provide additional security for users and web content providers, these systems are often complicated and costly to implement and may negatively affect the user experience. For example, multi-factor authentication that requires several successive data exchanges between the server and client may force the client application (e.g., an Internet browser window) to refresh multiple times during the authentication process, causing delays and degrading the user experience. Furthermore, implementing multi-factor authentication systems and integrating them into existing web pages may incur substantial costs, since the web-based applications may require a large amount of additional software that must be integrated into the existing web pages, and a significant software development and testing effort may be required to verify the new authentication system. This process may also detract from the consistent look and feel of the web site, and may negatively affect its overall appearance as the new authentication user interface components are meshed into the architecture and style of the previously implemented web site.
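The multi-factor flow described above (password, plus either a recognized IP address or a challenge question, with stored mutual authentication data shown to the user before the password is typed), as an added Python example that is not part of the original text. The `AuthServer` class, its method names, the decoy question and all sample values are assumptions, as is the choice to release the mutual authentication data only once the IP or challenge check has passed.

```python
# Added illustration: AuthServer and its method names are hypothetical.
import hashlib
import hmac
import os

DECOY_QUESTION = "Name of your first school?"  # constructed; shown for unknown IDs

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class AuthServer:
    def __init__(self):
        self.users = {}

    def enroll(self, user_id, password, question, answer, site_phrase, ip):
        salt = os.urandom(16)
        self.users[user_id] = {
            "salt": salt,
            "password": _kdf(password, salt),
            "question": question,
            "answer": _kdf(answer.strip().lower(), salt),
            "site_phrase": site_phrase,   # the 'mutual authentication data'
            "known_ips": {ip},            # IPs seen at earlier successful logins
        }

    def _second_factor_ok(self, user, ip, answer):
        if ip in user["known_ips"]:
            return True
        given = _kdf((answer or "").strip().lower(), user["salt"])
        return answer is not None and hmac.compare_digest(given, user["answer"])

    def begin(self, user_id, ip, answer=None):
        """Before any password is typed: release the site phrase or challenge."""
        user = self.users.get(user_id)
        if user is None:
            return ("challenge", DECOY_QUESTION)  # never release a site phrase
        if self._second_factor_ok(user, ip, answer):
            return ("password", user["site_phrase"])
        return ("challenge", user["question"])

    def finish(self, user_id, ip, password, answer=None):
        """Final exchange: password plus the same second-factor check."""
        user = self.users.get(user_id)
        if user is None or not self._second_factor_ok(user, ip, answer):
            return False
        if not hmac.compare_digest(_kdf(password, user["salt"]), user["password"]):
            return False
        user["known_ips"].add(ip)  # recognized on the next login
        return True
```

A client on an unrecognized IP address needs one extra round trip for the challenge question, which is the kind of successive exchange the preceding paragraph refers to.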